From: Udo K. <ba...@in...> - 2025-03-05 21:12:53
On 05.03.25 at 17:08, Dan Langille wrote:
> I would be curious to see if you are able to send traffic directly from host to host without any VPN involved, though I think simply testing the remote end's ability to download a large file successfully could be more important.
>
> The hosts have been in place for years. This is not a new VPN - it's been around about 10 years. What is new: the gateway. It was replaced. It went from pfSense to vanilla FreeBSD. I think I'm missing some of the magic pfSense did in the configuration.
>

Hi Dan,

This smells like packet size. Standard ICMP (ping) packets are too small to see anything. Did you fiddle with max-mtu/link-mtu in the OpenVPN config?

Try to perform Path MTU Discovery manually (ping -M do -s xxxx <client address>). Then on the client side set OpenVPN *link-mtu* value to the actual MTU minus 28. Or rely on OpenVPN to discover the correct value by using mtu-test in the client config.

The ping will fail for me on xxxx=1474 and suffice on xxxx=1472 against one of my OpenVPN clients.

https://www.reddit.com/r/networking/comments/18b3y8h/packet_size_issues_over_vpn/
https://community.zyxel.com/en/discussion/14013/ssl-vpn-disconnect-due-to-invalid-packet-size

Regards,
Udo
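Added example, not part of the message above: the manual Path MTU Discovery it describes, automated as a binary search over the `ping -M do -s` payload size. The function names, the 500 to 1472 search range and the timeout are assumptions of this sketch; `probe_ping` assumes Linux iputils `ping`.

```shell
#!/bin/sh
# Binary-search the largest ICMP payload that crosses the path with the
# Don't Fragment bit set, then derive the IPv4 path MTU from it.

# Default probe: one Linux iputils ping with DF set (same flags as in the message).
# $1 = payload size in bytes, $2 = target address.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload PROBE TARGET [LOW] [HIGH]
# Prints the largest payload size in [LOW, HIGH] for which PROBE succeeds,
# or returns 1 if even LOW fails (host down, ICMP filtered, ...).
find_max_payload() {
    probe=$1 target=$2 lo=${3:-500} hi=${4:-1472}
    "$probe" "$lo" "$target" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid" "$target"; then
            lo=$mid            # mid fits: search upwards
        else
            hi=$(( mid - 1 ))  # mid is too big: search downwards
        fi
    done
    echo "$lo"
}

# IPv4 path MTU = ICMP payload + 20 bytes IP header + 8 bytes ICMP header.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Probe a real host only when a target is given on the command line.
if [ -n "${1:-}" ]; then
    if max=$(find_max_payload probe_ping "$1"); then
        echo "largest unfragmented payload: $max bytes"
        echo "path MTU: $(payload_to_mtu "$max") bytes"
    else
        echo "no reply even at the smallest probe size" >&2
        exit 1
    fi
fi
```

On FreeBSD the Don't Fragment flag for `ping` is `-D` instead of `-M do`, so `probe_ping` needs that change when run from the gateway itself.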